Cyber Security Threat Summary:
A new PowerShell malware called "PowerDrop" specifically targets the U.S. aerospace defense industry. The cybersecurity firm Adlumin, found a sample of this malware in the network of a defense contractor in the U.S. PowerDrop utilizes PowerShell and Windows Management Instrumentation (WMI) to establish a persistent remote access trojan (RAT) within the compromised networks. The tactics employed by the malware fall somewhere between "off-the-shelf" malware and sophisticated advanced persistent threat (APT) techniques. Based on the timing and targets of the attacks, it is highly probable that the perpetrator behind the malware is a state-sponsored entity. PowerDrop is a PowerShell script that operates as a backdoor or remote access trojan (RAT) by leveraging the Windows Management Instrumentation (WMI) service. To conceal its malicious nature, the script is encoded using Base64. Through analysis of system logs, researchers determined that the malicious script was executed by utilizing pre-existing WMI event filters and consumers named 'SystemPowerManager.' These components were created by the malware itself after compromising the system, employing the 'wmic[.]exe' command-line tool.

“WMI is a built-in Windows feature that allows users to query local or remote computers for various information. In this case, it is being abused to trigger PowerShell command queries for updates to a performance-monitoring class. The particular class is frequently updated with performance-related information such as processes, threads, system calls/sec, and queue length, so planting a malicious event trigger every two minutes is unlikely to raise suspicions. "The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script," explains Adlumin in the report. "Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated." Once the PowerDrop script is active, it sends a hardcoded ICMP echo to its C2 server address, beaconing that a new infection is active” (Bleeping Computer. 2023).

The ICMP trigger payload consists of a UTF16-LE encoded string that is not obfuscated. This encoding aids the command-and-control (C2) infrastructure in differentiating it from random probes. After transmitting the beacon to the C2 server, the malware enters a 60-second waiting period, anticipating a response from the C2. This response arrives as an encrypted and padded payload, which contains a command to be executed. To decrypt the received payload, the malware employs a predefined 128-bit AES key and a 128-bit initialization vector. Once decrypted, the malware proceeds to execute the command contained within the payload on the infected host. In cases where the results are too large, the malware employs strategy of diving them into smaller 128-byte chunks. These smaller chunks are then sent as a series of multiple messages.

Security Officer Comments:
According to Adlumin's findings, the combination of PowerShell and WMI, along with the absence of a ".ps1" script file that would leave traces on the disk, enhances PowerDrop's stealthiness. The malware ensures secure communications through AES encryption. Additionally, the use of the ICMP protocol for beacon signaling is a common network communication method, reducing the chances of detection. Moreover, the malware employs a 120-second interval between malicious network traffic, further lowering the risk of being discovered.

Suggested Correction(s):
To effectively combat this threat, organizations, particularly those in the aerospace defense industry, should maintain a high level of vigilance. This includes monitoring PowerShell execution and being attentive to any unusual WMI activity that may indicate the presence of PowerDrop. Adlumin recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

Adlumin has produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic:

Link(s):
https://adlumin.com/post/
https://www.bleepingcomputer.com/